Skip to content
English
  • There are no suggestions because the search field is empty.

Using RapidIdentity as an IdP

Step 1: Add CharacterStrong to RapidIdentity

  • Access the SAML SSO Advanced Settings from the Configuration menu and select Federation Partners from the left-hand menu items.
  • Click "Edit" on an existing federation partner or create a new one.
  • Click on the "Create SAML Relaying Party" button and enter the following information:
    • Name: CharacterStrong
    • Metadata: Download the metadata from the CS SAML Metadata Step 1 section of the CharacterStrong SAML configuration guide.
  • Modify the metadata to add the following sections right after <md:SPSSODescriptor line. 
    This is a temporary workaround for RapidIdentity - we are working to have this added automatically into the CS-generated SP metadata.
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>MIIDSDCCAjCgAwIBAgIEIfL7EjANBgkqhkiG9w0BAQsFADBVMSIwIAYDVQQDExljaGFyYWN0ZXJzdHJvbmctY3VycmljdWxhMSIwIAYDVQQKExljaGFyYWN0ZXJzdHJvbmctY3VycmljdWxhMQswCQYDVQQGEwJVUzAeFw0yNDAxMjYwMzIxMThaFw0yOTAxMjQwMzIxMThaMFUxIjAgBgNVBAMTGWNoYXJhY3RlcnN0cm9uZy1jdXJyaWN1bGExIjAgBgNVBAoTGWNoYXJhY3RlcnN0cm9uZy1jdXJyaWN1bGExCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiCUNy4j8/KyDW3jwmB9bfUxNqtcnuU+C9DPrPLETtngzfofTvS7LA1My+fxtELVn3yxMRleOvmaFUuP0QUDdsZkbj0ztE7qg7e2DCByErx8Gk9EwTYIzAAiI2W5xlJ0/JcB2KtKbJVFo7ldF6NKWbobXQgpfDh5ut8MwwIBO4/wwrRhmeu+HvJmNyvOErjYXWnLSZKBKte1qAMMuiuYd0U3UXHjFDiAns41n0OW1JSYeG5zXSG7OSorcwAEIOHQb1o6PqUL4nnc5U5H2RRGzKYaDuyd6AOoZAobeNHWvVHhj0FmZQQjgHbpxSbPKdMQo5NaYC2OkxDyXEwvl1dCrbQIDAQABoyAwHjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAcfez2cFzwOj1DSB6fJHtyiF/cOdTWW2BWC3Wu5rcCL5AqIrkgTe+Ug6m5MRc5Al7A0+E7CnJlIe3TiG+aNyXErp43qsxJShMAoLSBFzrtV/b1v7mjQlbpqhChhzJkGuOD2I4X3pPx/JyA5FCQ8M2Qlxc2jaOiX7iX02Q6RhgFP7W/bxQxs3alcLNVFUhIyLnD+w3MXIUpPkXAdbL3J7ddEENHNIB9k2TfNPWhA+GqzXlbQlTDuNy34xPUTe/0OJuGF6fFMQkqnokFul8OsKJU+mX/ZGCOZGwJifZ2sitMUqRiJxzXZ/IJN36uC/OLhmUz2Pps6Fz/cZLQbhW1YtdMw==</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>MIIDSDCCAjCgAwIBAgIEIfL7EjANBgkqhkiG9w0BAQsFADBVMSIwIAYDVQQDExljaGFyYWN0ZXJzdHJvbmctY3VycmljdWxhMSIwIAYDVQQKExljaGFyYWN0ZXJzdHJvbmctY3VycmljdWxhMQswCQYDVQQGEwJVUzAeFw0yNDAxMjYwMzIxMThaFw0yOTAxMjQwMzIxMThaMFUxIjAgBgNVBAMTGWNoYXJhY3RlcnN0cm9uZy1jdXJyaWN1bGExIjAgBgNVBAoTGWNoYXJhY3RlcnN0cm9uZy1jdXJyaWN1bGExCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiCUNy4j8/KyDW3jwmB9bfUxNqtcnuU+C9DPrPLETtngzfofTvS7LA1My+fxtELVn3yxMRleOvmaFUuP0QUDdsZkbj0ztE7qg7e2DCByErx8Gk9EwTYIzAAiI2W5xlJ0/JcB2KtKbJVFo7ldF6NKWbobXQgpfDh5ut8MwwIBO4/wwrRhmeu+HvJmNyvOErjYXWnLSZKBKte1qAMMuiuYd0U3UXHjFDiAns41n0OW1JSYeG5zXSG7OSorcwAEIOHQb1o6PqUL4nnc5U5H2RRGzKYaDuyd6AOoZAobeNHWvVHhj0FmZQQjgHbpxSbPKdMQo5NaYC2OkxDyXEwvl1dCrbQIDAQABoyAwHjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAcfez2cFzwOj1DSB6fJHtyiF/cOdTWW2BWC3Wu5rcCL5AqIrkgTe+Ug6m5MRc5Al7A0+E7CnJlIe3TiG+aNyXErp43qsxJShMAoLSBFzrtV/b1v7mjQlbpqhChhzJkGuOD2I4X3pPx/JyA5FCQ8M2Qlxc2jaOiX7iX02Q6RhgFP7W/bxQxs3alcLNVFUhIyLnD+w3MXIUpPkXAdbL3J7ddEENHNIB9k2TfNPWhA+GqzXlbQlTDuNy34xPUTe/0OJuGF6fFMQkqnokFul8OsKJU+mX/ZGCOZGwJifZ2sitMUqRiJxzXZ/IJN36uC/OLhmUz2Pps6Fz/cZLQbhW1YtdMw==</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
  • From the Federation Partners configuration screen, click on SSO Settings. Enter the following settings:
    • SAML2 Assertion Lifetime: 5 minutes
    • NotBefore Skew: 0s
    • Sign SAML2 SSO Response: Always
    • Sign SAML2 SSO Assertions: Never
    • Encrypt SAML2 SSO Assertions: Never
    • Encrypt SAML2 SSO Name IDs: Never
    • Signature Algorithm: RSA SHA-1
  • Update the configuration to send the following attributes. Details about how to add attributes can be found on RapidIdentity's documentation
    • First Name (urn:oasis:names:tc:SAML:2.0:attrname-format:basic)
      • firstname
    • Last Name (urn:oasis:names:tc:SAML:2.0:attrname-format:basic)
      • lastname
    • Email Address (urn:oasis:names:tc:SAML:2.0:attrname-format:basic)
      • mail
    • Role (urn:oasis:names:tc:SAML:2.0:attrname-format:basic)
      • role
    • Organization (urn:oasis:names:tc:SAML:2.0:attrname-format:basic)
      • organization
  • Add a NameID attribute and set it to be the user's email address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).
    • nameid
  • Trigger a service reload.
  • Continue the CharacterStrong SAML setup.

More details can be found on RapidIdentity's documentation.